
oqs's Post-Quantum Signature scheme Rainbow level I parametersets broken

High severity GitHub Reviewed Published Aug 18, 2022 to the GitHub Advisory Database • Updated Jan 7, 2023

Package

cargo oqs (Rust)

Affected versions

< 0.7.2

Patched versions

0.7.2

Description

Ward Beullens found a practical key-recovery attack against Rainbow: the level I parameter sets can be broken with about a weekend of computation on a laptop, recovering the private key from the public key alone. liboqs removed the Rainbow level I parameter sets starting with version 0.7.2, and the oqs crate's 0.7.2 release picks that change up. The scientific details are in Ward Beullens' paper "Breaking Rainbow Takes a Weekend on a Laptop".

This means every oqs::sig::Algorithm::RainbowI* variant is insecure: anyone holding one of these public keys can recover the matching private key and forge signatures, so keys generated with these variants must be treated as compromised and code selecting them must migrate to another algorithm rather than only upgrading the crate.
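As an added example (not code from the oqs project or from this advisory), the two checks a maintainer would run against a project that depends on this crate: whether Cargo.lock pins oqs inside the affected `< 0.7.2` range, and whether the source still names a `RainbowI*` variant. The Cargo.lock fragment and source fragment are constructed for the example; the `RainbowIIIClassic` spelling in the sample is an assumption about how the crate names level III, and the scanner deliberately requires the character after `RainbowI` to be neither `I` nor `i` so that level III variants, which this advisory does not cover, are not reported as findings.

```rust
// Added example (not from the oqs project): audit a Rust project against
// GHSA-h864-m8vm-3xvj. Check 1: does Cargo.lock pin `oqs` below the patched
// 0.7.2? Check 2: does the source still name a removed
// `oqs::sig::Algorithm::RainbowI*` variant? Sample inputs are constructed.

/// Plain MAJOR.MINOR.PATCH; a pre-release/build suffix is ignored
/// (assumption: published oqs versions are plain triples).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c: char| c == '-' || c == '+').next()?;
        let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(parts.next()??, parts.next()??, parts.next()??);
        match parts.next() {
            None => Some(v),
            Some(_) => None, // four or more components is not a crate version
        }
    }
}

/// First version outside the advisory's affected range ("Patched versions").
pub const PATCHED_OQS: Version = Version(0, 7, 2);

/// Every `oqs` version pinned in a Cargo.lock body. More than one can appear
/// when two dependency chains resolve to different versions; all of them count.
pub fn oqs_versions_in_lock(lock: &str) -> Vec<Version> {
    let mut found = Vec::new();
    // Cargo.lock is TOML with one `[[package]]` table per crate carrying
    // `name = "..."` and `version = "..."` lines. A line-oriented scan of those
    // two keys is enough here and keeps the example free of third-party crates.
    for table in lock.split("[[package]]").skip(1) {
        let (mut name, mut version) = (None, None);
        for line in table.lines() {
            if let Some((key, value)) = line.split_once('=') {
                let value = value.trim().trim_matches('"');
                match key.trim() {
                    "name" => name = Some(value),
                    "version" => version = Some(value),
                    _ => {}
                }
            }
        }
        if name == Some("oqs") {
            if let Some(v) = version.and_then(Version::parse) {
                found.push(v);
            }
        }
    }
    found
}

/// `oqs` versions that fall inside the advisory's `< 0.7.2` range.
pub fn vulnerable_oqs_versions(lock: &str) -> Vec<Version> {
    oqs_versions_in_lock(lock)
        .into_iter()
        .filter(|v| *v < PATCHED_OQS)
        .collect()
}

/// (line number, trimmed line) for each source line selecting a level I
/// Rainbow variant via `Algorithm::RainbowI...`. A bare prefix match on
/// `RainbowI` would also hit level III (`RainbowIII...`, or `RainbowIii...` if
/// the crate spells it that way; both spellings are assumptions), which this
/// advisory does not cover, so the next character must not be `I` or `i`.
pub fn rainbow_level1_uses(src: &str) -> Vec<(usize, String)> {
    const NEEDLE: &str = "Algorithm::RainbowI";
    let mut hits = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        let mut rest = line;
        while let Some(pos) = rest.find(NEEDLE) {
            let after = &rest[pos + NEEDLE.len()..];
            if !matches!(after.chars().next(), Some('I') | Some('i')) {
                hits.push((idx + 1, line.trim().to_string()));
                break; // one finding per line is enough
            }
            rest = after;
        }
    }
    hits
}

/// Constructed Cargo.lock fragment: a pre-patch oqs plus its -sys crate.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "oqs"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "oqs-sys",
]

[[package]]
name = "oqs-sys"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Constructed source fragment: one level I use (the finding) next to a
/// level III use and a Dilithium use, neither of which this advisory covers.
pub const SAMPLE_SRC: &str = r#"
use oqs::sig::{Algorithm, Sig};

fn signer() -> oqs::Result<Sig> {
    let level3 = Sig::new(Algorithm::RainbowIIIClassic)?;
    let _ = level3;
    Sig::new(Algorithm::RainbowIClassic)
}

fn fallback() -> oqs::Result<Sig> {
    Sig::new(Algorithm::Dilithium3)
}
"#;

fn main() {
    for v in vulnerable_oqs_versions(SAMPLE_LOCK) {
        println!("Cargo.lock pins oqs {}.{}.{} (< 0.7.2, GHSA-h864-m8vm-3xvj)", v.0, v.1, v.2);
    }
    for (n, line) in rainbow_level1_uses(SAMPLE_SRC) {
        println!("line {}: removed level I Rainbow variant: {}", n, line);
    }
}
```

The version check is what `cargo audit` automates against the RustSec database; the source scan is the part a lockfile cannot tell you. Since liboqs 0.7.2 drops the level I parameter sets, code still selecting them has to be migrated to a different algorithm, not just rebuilt against the newer crate, and the scan only matches the `Algorithm::RainbowI…` path form, so a `use oqs::sig::Algorithm::{...}` import list needs a separate look.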

References

Published to the GitHub Advisory Database Aug 18, 2022
Reviewed Aug 18, 2022
Last updated Jan 7, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-h864-m8vm-3xvj